Optimal File Permissions
On your system you typically want to restrict your file permissions as much as possible for best security, but not so far that b2evolution can no longer save uploaded or cached files.
Optimal file permissions are basically a tradeoff between security and flexibility.
Now if you list (ls -la) the files from your blog directory, you will see something like this:
If you look at the cache or the media folder, for example, you will see the following info:
- The owner of those directories is "fplanque" and he has permissions "rwx" (read write execute)
- The group of those directories is "staff" and members of that group have permissions "r-x" (read & execute but not write – note that execute is necessary to be able to open the directory)
- The other users of the system have permissions "r-x" (read & execute but not write)
Now, will b2evolution be able to write the files it needs into
Well, it depends on which UNIX user account b2evolution is running under!
In order to determine this, look at the System status page in b2evolution. You will see something like this:
In this case, all is fine. PHP is running as "fplanque" and "fplanque" has write permissions to the cache and media directories.
Now, this is a development machine, so it was easy, but let’s suppose we now run on a server and PHP runs as user "www-data". "www-data" has only permissions "r-x", because "www-data" would be considered an "other" user here. However, we don’t want to give write permissions to all other users, so what we may do is first change the group of the files, for example like this:
Now we would have this:
But that is not enough, because now "www-data" is the group but the group still only has the permissions "r-x".
So we now need to give write permission to the group on the desired directories (and their subdirectories):
Now we have:
"www-data" has now "rwx" access to the cache and media folders which means PHP/b2evolution will be able to write files there.
Note: we only gave "www-data" permission on these 2 directories. If we wanted to enable b2evolution to upgrade itself we would need to enable write access for all files and directories. But as long as we don’t use the Auto Upgrade feature it’s best to keep permissions tight.
Speaking of tight permissions: why did we not change the owner of the files to "www-data" so that we don’t need to change permissions for the group? Because if we did that, we would no longer be able to update our files via FTP, which is not what we want either ;) (Note: we could always add "fplanque" to the "www-data" group, but that would open additional security issues, so we don’t want to do that.)